Potential lock of rewards in the custody contracts

[code423n4]

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/custody_beth/src/distribution.rs#L110-L115 https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/custody_bluna/src/distribution.rs#L109-L114

Vulnerability details

Impact

The swap_to_stable_denom function in the custody contracts swaps all other native tokens into a specific one. The function creates swap messages for all the other native tokens and adds them as sub-messages, and handles the reply only when the last sub-message succeeds. Upon receiving the reply, the contract sends the swapped tokens (i.e., rewards) to the overseer contract.

In cases where the last sub-message fails, the custody contract will not receive a reply, and therefore the rewards are left in the contract. The rewards are locked in the contract until someone triggers swap_to_stable_denom again, and the last swap succeeds. However, if the last swap consistently fails in some period for any reason, the total rewards will be locked in the contract during that period. As a result, users cannot get the rewards they are supposed to receive in that period.

Proof of Concept

Referenced code: custody_beth/src/distribution.rs#L110-L115 custody_bluna/src/distribution.rs#L109-L114

Recommended Mitigation Steps

Consider handling the reply on either success or failure, i.e., using ReplyOn::Always, to avoid the failure of the swap to cause tokens to be locked.

[GalloDaSballo]

Relient on external conditions, Severity seems appropriate